Login Sign Up

CVE-2024-28537

9.8 CRITICAL
Remote Code Execution

📋 TL;DR

This CVE describes a stack overflow vulnerability in Tenda AC18 routers that allows remote attackers to execute arbitrary code or cause denial of service. The vulnerability exists in the fromNatStaticSetting function's page parameter handling. Users with Tenda AC18 routers running vulnerable firmware are affected.

💻 Affected Systems

Products:
  • Tenda AC18
Versions: V15.03.05.05
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects this specific firmware version. Other Tenda models or versions may not be vulnerable.

📦 What is this software?

Ac18 Firmware by Tenda

View all CVEs affecting Ac18 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, network takeover, and lateral movement to connected devices.

🟠

Likely Case

Router crash/reboot causing network disruption, or limited code execution allowing attacker persistence on the device.

🟢

If Mitigated

Denial of service only if exploit attempts are blocked but overflow still triggers.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices with web interfaces accessible from WAN.
🏢 Internal Only: MEDIUM - Attackers could exploit from internal network if they gain access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public GitHub repository contains proof-of-concept. Stack overflow vulnerabilities in embedded devices often have reliable exploitation paths.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates. 2. If update available, download and install via router web interface. 3. Reboot router after installation.

🔧 Temporary Workarounds

Disable remote management

all

Prevent external access to router web interface

Access router admin panel → System Tools → Remote Management → Disable

Network segmentation

all

Isolate router management interface from untrusted networks

🧯 If You Can't Patch

  • Replace router with different model/brand that receives security updates
  • Place router behind firewall with strict inbound rules blocking web interface access

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under System Status or System Tools → Firmware Upgrade

Check Version:

Not applicable - check via web interface

Verify Fix Applied:

Verify firmware version is different from V15.03.05.05 after update

📡 Detection & Monitoring

Log Indicators:

  • Repeated connection attempts to router web interface
  • Unusual POST requests to NAT configuration endpoints
  • Router crash/reboot logs

Network Indicators:

  • Unusual traffic to router port 80/443 from external IPs
  • HTTP requests with long parameters to /goform/NatStaticSetting

SIEM Query:

source_ip:external AND dest_ip:router_ip AND (http_uri:"/goform/NatStaticSetting" OR http_user_agent_contains:"exploit")

📊 Metadata

CVE ID: CVE-2024-28537
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-125
Published: March 18, 2024
Last Updated: March 13, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-28537, you might also want to check these:

CVE-2021-41556 10.0

CVE-2021-41556 is a critical out-of-bounds read vulnerability in Squirrel scripting language that al...

Same vulnerability type (CWE-125)
CVE-2024-22004 10.0

This vulnerability allows attackers with privileged access on Linux non-secure operating systems to ...

Same vulnerability type (CWE-125)
CVE-2021-21777 10.0

CVE-2021-21777 is a critical out-of-bounds read vulnerability in the Ethernet/IP UDP handler of OpEN...

Same vulnerability type (CWE-125)